
"The trojanized software was distributed both as ZIP archives and as standalone installers for the aforementioned products. These files contain a legitimate signed executable for the corresponding product and a malicious DLL, which is named 'CRYPTBASE.dll' to leverage the DLL side-loading technique."
"The malicious DLL, for its part, contacts an external server and executes additional payloads, but not before performing anti-sandbox checks to sidestep detection. The end goal of the campaign is to deploy STX RAT, a RAT with HVNC and broad infostealer capabilities."
"STX RAT exposes a broad command set for remote control, follow-on payload execution, and post-exploitation actions (e.g., in-memory execution of EXE/DLL/PowerShell/shellcode, reverse proxy/tunneling, desktop interaction)."
CPUID, a website hosting hardware monitoring tools, was compromised for under 24 hours to serve malicious executables and deploy STX RAT. The breach occurred from April 9 to April 10, with download links for legitimate software replaced by malicious URLs. CPUID confirmed the attack was due to a compromise of a secondary API, but original signed files remained unaffected. The trojanized software included a legitimate executable and a malicious DLL named 'CRYPTBASE.dll', which executed additional payloads while avoiding detection. STX RAT offers extensive remote control and infostealer capabilities.
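One defender-side check the side-loading detail above suggests, as an added example (not code from The Hacker News article or from CPUID): scan a downloaded ZIP for a DLL that normally lives in System32, such as CRYPTBASE.dll, sitting in the same folder as an executable. The archive contents and the watch-list are constructed assumptions for the demonstration, not the real trojanized package.

```python
"""Flag archive members that look like DLL side-loading staging: a DLL whose
name matches a Windows system DLL (e.g. CRYPTBASE.dll) placed in the same
directory as an executable. Constructed example; the ZIP built below is a
placeholder, not the real trojanized package."""
import io
import posixpath
import zipfile

# DLL names that normally live in %SystemRoot%\System32; a package that ships
# its own copy beside an EXE is a side-loading candidate worth inspecting.
# Assumption: only the name from the article is listed; extend as needed.
SYSTEM_DLL_NAMES = {"cryptbase.dll"}


def find_sideload_candidates(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (dll_member, exe_member) pairs that share a directory in the ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir: dict[str, list[str]] = {}
    for name in names:
        by_dir.setdefault(posixpath.dirname(name), []).append(name)
    for members in by_dir.values():
        exes = [m for m in members if m.lower().endswith(".exe")]
        dlls = [m for m in members
                if posixpath.basename(m).lower() in SYSTEM_DLL_NAMES]
        for dll in dlls:
            for exe in exes:
                findings.append((dll, exe))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a product folder with an EXE next to CRYPTBASE.dll,
    plus a clean folder. Member bodies are placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tool/tool.exe", b"MZ placeholder")
        zf.writestr("Tool/CRYPTBASE.dll", b"MZ placeholder")
        zf.writestr("Docs/readme.txt", b"text")
    return buf.getvalue()


if __name__ == "__main__":
    for dll, exe in find_sideload_candidates(build_sample_archive()):
        print(f"side-loading candidate: {dll} next to {exe}")
```

A hit is a reason to verify the DLL's signature and origin before running the installer, not proof of compromise on its own.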
Read at The Hacker News